Introduces a lock while loading credentials from Credential Source #2438
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sruke
requested review from
jmprieur,
jennyf19,
keegan-caruso and
brentschmaltz
IdWeb detects when client certificates were rotated because AAD returns an explicit error
On this error, IDWeb calls ResetCredentials, and retrys the call, which triggers reloading the certificate. This happens here: IdWeb does not do anything with decrypt certificate, as the guidance (with IdWeb) is for service owners to provide several decyrpt credentials, and Wilson tries them all. |
jmprieur
reviewed
Sep 5, 2023
src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.cs
Outdated
Show resolved
Hide resolved
jennyf19
approved these changes
Sep 7, 2023
westin-m
approved these changes
Sep 7, 2023
jmprieur
reviewed
Sep 7, 2023
src/Microsoft.Identity.Web.Certificate/DefaultCredentialsLoader.cs
Outdated
Show resolved
Hide resolved
sruke
force-pushed
the
sruthi/LoadingLock
branch
from
c4545e5 to
a0ec166
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduces a lock while loading credentials from Credential Source
Summary of the changes
Ensure multiple requests don't attempt to load the same credentialDescription concurrently.
Description
When a customer configures the source of a token decryption certificate in the inbound policy, SAL attempts to load the certificate from the specified source or retrieves the cached certificate if it has been loaded previously. SAL then creates an X509SecurityKey from the certificate and adds it to InboundPolicy.TokenValidationParameters.TokenDecryptionKeys if the key was not already added. This logic is executed for every incoming token validation request, and SAL utilizes ID.Web's implementation of ICredentialLoader to retrieve the certificate.
Until the certificate is cached by ID.Web (i.e., when credentialDescription.CachedValue is set), multiple parallel requests (potentially exceeding 100 incoming requests, as indicated by Keegan) may attempt to load the same certificate from the source. This raises performance concerns, particularly when fetching the certificate involves making an HTTP request (e.g., fetching from KeyVault).
Open Questions:
Note: Unit tests will be added once the design is approved